Browser-based iOS 'jailbreak' utilizes 'scary' PDF security hole

Posted in iPhone; edited January 2014
The latest browser-based "jailbreak" for iOS devices, including the iPhone 4, utilizes a PDF exploit that one prominent security expert called both "scary" and "very beautiful work."



Sean Sullivan, security advisor with F-Secure Corporation, revealed on Tuesday the technical details of the jailbreak process, which is carried out entirely in the Mobile Safari browser. The jailbreakme.com site serves 20 separate PDFs, one per supported combination of device model and firmware version.



Each of these PDFs carries a malformed font in the Compact Font Format (CFF). When Mobile Safari renders the document, the malformed font triggers a memory-safety bug in the browser's CFF handler; rather than merely crashing Safari, the exploit turns that bug into execution of its own payload.



Sullivan also linked to comments made via Twitter by security researcher Charlie Miller, who was also analyzing the code behind the browser-based jailbreak.



"Very beautiful work," Miller wrote. "Scary how it totally defeats Apple's security architecture."



While the jailbreakme.com site itself is not intended for malicious purposes, the PDF exploit it uses could be turned by attackers to more nefarious ends. Miller said that with this method an attacker does not need physical access to an iPhone, iPod touch or iPad; the user simply needs to be lured into opening a web page that serves the malicious PDF.



Last year, Miller exposed a dangerous SMS vulnerability that could allow an attacker to remotely control an iPhone. He notified Apple of the flaw, and the company quickly released a patch to close it.



Apple is likely to act quickly once again and patch the vulnerability, which affects all iOS devices: every model of the iPhone, iPod touch and iPad. When that happens, those who want to jailbreak iOS devices to run unauthorized code and operating-system modifications blocked by Apple will have to find another method.



The member of the iPhone Dev Team who goes by the handle "comex" said this week that he has other potential exploits he will look to when Apple inevitably patches the PDF flaw.



"Maybe I'll rely on USB based stuff for the next jailbreak so that Apple won't patch it so fast," he said.







Ironically, jailbreakers have already developed a partial workaround that can help users avoid being attacked through the PDF exploit. Developer Will Strafach on Tuesday released an application on the Cydia store, which is available only on already-jailbroken devices, that warns the user whenever a Mobile Safari page is about to load a PDF. The tool does not patch the hole; it only gives the user a chance to back out before an untrusted PDF is rendered, and a stock, un-jailbroken device cannot install it at all.
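A defender without a patch wants something finer-grained than a warning on every PDF: a check that tells whether a given PDF actually embeds a CFF font, the attack surface the article describes, before the file reaches a device. The following scanner is an added example written for this page; it is not code from comex, F-Secure or the Cydia tool. It scans the raw PDF for stream objects, inflates FlateDecode streams, and reports any object whose dictionary declares a CFF-carrying FontFile3 subtype (/Type1C, /CIDFontType0C, /OpenType) or whose decoded bytes begin with a CFF header (major version 1, plausible hdrSize and offSize), reading the Name INDEX count as well. The sample PDF and the tiny CFF blob are constructed inline. The scanner does not judge whether a font is malicious, only whether the file carries one, so it is a triage tool, not an exploit detector.

```python
import re
import zlib

# Raw-byte scan for "N G obj ... endobj"; good enough for a triage tool,
# not a full PDF parser (object streams and xref streams are not handled).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# FontFile3 stream subtypes that carry CFF data (PDF 1.7, section 9.9).
CFF_SUBTYPES = (b"/Type1C", b"/CIDFontType0C", b"/OpenType")


def _decode_stream(dictionary, raw):
    """Return the stream body, inflating it when /FlateDecode is declared.
    Other filters are passed through untouched; an undecodable Flate stream
    yields b"" so it is never mistaken for font data."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return b""
    return raw


def cff_header_info(data):
    """Parse a CFF header (major, minor, hdrSize, offSize) plus the count of
    the Name INDEX that follows it. Returns None unless the bytes look like a
    CFF font: major version 1, hdrSize >= 4, offSize in 1..4."""
    if len(data) < 4:
        return None
    major, minor, hdr_size, off_size = data[0], data[1], data[2], data[3]
    if major != 1 or hdr_size < 4 or not 1 <= off_size <= 4:
        return None
    if len(data) < hdr_size + 2:
        return None
    font_count = int.from_bytes(data[hdr_size:hdr_size + 2], "big")
    return {"major": major, "minor": minor, "hdr_size": hdr_size,
            "off_size": off_size, "font_count": font_count}


def find_cff_fonts(pdf_bytes):
    """Return one finding per stream object that embeds a CFF font, whether
    the dictionary declares it or only the decoded bytes reveal it."""
    findings = []
    for m in OBJ_RE.finditer(pdf_bytes):
        obj_num, body = int(m.group(1)), m.group(3)
        sm = STREAM_RE.search(body)
        if sm is None:
            continue
        dictionary = body[:sm.start()]
        data = _decode_stream(dictionary, sm.group(1))
        declared = any(s in dictionary for s in CFF_SUBTYPES)
        header = cff_header_info(data)
        if declared or header is not None:
            findings.append({"object": obj_num, "declared_cff": declared,
                             "header": header, "decoded_len": len(data)})
    return findings


# Constructed sample: a minimal CFF blob (4-byte header, then a Name INDEX
# with count=1, offSize=1, offsets [1, 5] and the single name "Test").
SAMPLE_CFF = b"\x01\x00\x04\x01" + b"\x00\x01" + b"\x01" + b"\x01\x05" + b"Test"


def build_sample_pdf(font_blob, subtype=b"/Type1C"):
    """Constructed PDF with one flate-compressed FontFile3 stream object;
    pass subtype=None to omit the /Subtype entry and test header detection."""
    compressed = zlib.compress(font_blob)
    subtype_entry = b"/Subtype " + subtype + b" " if subtype else b""
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
            b"3 0 obj\n<< " + subtype_entry + b"/Filter /FlateDecode /Length "
            + str(len(compressed)).encode() + b" >>\nstream\n"
            + compressed + b"\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for finding in find_cff_fonts(build_sample_pdf(SAMPLE_CFF)):
        print(finding)
```

The regex approach is deliberate for a script meant to run at a proxy or mail gateway: it needs no PDF library and cannot itself be tripped up by a malformed font, because it never interprets charstrings. Its blind spots are the flip side of that: fonts hidden inside object streams, cross-reference streams or filters other than Flate will not be seen, so a production tool should sit on a real PDF parser and treat any undecodable stream as suspicious rather than clean.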

Comments

  • Reply 1 of 90
    tulkas (Posts: 3,756, member)
    Charlie Miller is also the person Apple credits with reporting a very similar bug in Mac OS X, which was patched in June of this year.



    From a Computerworld interview with Charlie Miller

    Quote:

    "Not only does this elevate to the root, giving you complete control of the iPhone, but it breaks out of the sandbox," said Miller in an interview Monday, referring to the isolation technology designed to block rogue code from escaping the mobile Safari browser.



    "There's no shell on the iPhone, so [comex] had to do all that himself to get control," Miller continued. "He elevated to root, turned off all code signing, broke out of the sandbox...all in the payload of the exploit.



    "And it works every time. Not just a few times out of a hundred. But every time."



    Now, who was it that said "It's not at this point a serious issue"?
  • Reply 2 of 90
    tjw (Posts: 216, member)
    Still think Android is so so so much more vulnerable?
  • Reply 3 of 90
    "comprimise" - now that's professional...
  • Reply 4 of 90
    Question, guys; I have not read anything on this question anywhere.



    Do you think Apple is not closing some security holes on purpose, to leave a door open for the Dev Team?

    I mean, I am quite sure that Apple has some very clever and smart people; they should be able to close down iOS if they really want to?!

    We can observe that some USB security flaws are open in iOS 3 and still in 4..... MS is doing a better job of patching their Windows than Apple...



    Thanks for your opinions.



    Greetings!
  • Reply 5 of 90
    solipsism (Posts: 25,726, member)
    Quote:
    Originally Posted by tjw


    Still think Android is so so so much more vulnerable?



    This is a serious issue, no one is denying that, and there will be other vulnerabilities found in iOS throughout the years that will be just as bad, but Android is designed from the ground up to be insecure for the average user. That won't change until Android changes.
  • Reply 6 of 90
    dualie (Posts: 334, member)
    Quote:
    Originally Posted by Dave Marsh


    "comprimise" - now that's professional...



    It's sure to inspire confidence in the jailbreaking team.
  • Reply 7 of 90
    maestro64 (Posts: 5,005, member)
    So what happened to all these companies out there whose job is to find holes like this? They obviously missed this one, and it must have been there for a while.
  • Reply 8 of 90
    daharder (Posts: 1,580, member)
    Oh Well... No OS is perfect (some less/more so than others).
  • Reply 9 of 90
    emulator (Posts: 251, member)
    Quote:
    Originally Posted by packman2002


    Question, guys; I have not read anything on this question anywhere.



    Do you think Apple is not closing some security holes on purpose, to leave a door open for the Dev Team?



    Yes, and H2O (the rls group) was paid by Steinberg not to crack and rls Cubase... but wait, they cracked it.



    To answer your question, software is made by humans and we do make errors.
  • Reply 10 of 90
    What is "ironical" about @cdevwill's tweak, exactly? People want to modify their phones and be secure from random exploits.



    Apple left the CFF hole open, not @comex.
  • Reply 11 of 90
    Beautiful exploit. Apple will patch this one up in the next iOS release.

    We'll likely see a more malicious proof-of-concept before then.



    Doesn't make a definitive statement about iOS security. The Jailbreak team will probably always find an exploit, and in something as complicated as a smartphone OS, there will always be an exploit to find, no matter who makes it. This particular exploit is quite impressive.



    Quote:
    Originally Posted by dualie


    It's sure to inspire confidence in the jailbreaking team.



    Their talent requires no exceptional skill with English spelling or grammar.
  • Reply 12 of 90
    Quote:
    Originally Posted by Tulkas


    Charlie Miller is also the person Apple credits with reporting a very similar bug in Mac OS X, which was patched in June of this year.



    From a Computerworld interview with Charlie Miller



    Now, who was it that said "It's not at this point a serious issue"?



    Maybe Miller is the one responsible for the hack. He certainly has a gigantic anti-Apple chip on his shoulder for all to see.



    This will probably get roundly dismissed as mere paranoia, but I think it's both interesting and highly suspicious that this hack is so far above what any other iPhone hackers have been able to do so far.



    I mean we have to believe that somehow almost by accident, the typical iPhone hackers stumbled on this sublime and intricate attack vector, (something that only one of the best security hackers on the planet could figure out)??



    It seems more likely to me that Charlie Miller or someone of similar calibre was involved at some level and that worries me.
  • Reply 13 of 90
    drdoppio (Posts: 1,132, member)
    I guess it is fortunate that those who found this vulnerability were actually interested in creating something good for the users. Think of what might have been if they were some malevolent hackers...
  • Reply 14 of 90
    alansky (Posts: 235, member)
    Proceed at your own risk!
  • Reply 15 of 90
    cubert (Posts: 728, member)
    Very bad, Apple. Very bad, indeed.
  • Reply 16 of 90
    Quote:
    Originally Posted by alansky


    Proceed at your own risk!



    It's a jailbreak endorsed by the iPhone Dev Team.

    We've been here before...



    If you want to jailbreak, here you have it.

    Just remember to change your root password afterward.
  • Reply 17 of 90
    Quote:
    Originally Posted by DrDoppio


    I guess it is fortunate that those who found this vulnerability were actually interested in creating something good for the users. Think of what might have been if they were some malevolent hackers...



    Duh, they *are* malevolent hackers.



    In the first place, what they are doing isn't legal, in the second place they let loose a zero day security hole on iOS into the wild. Maybe on a good day these guys are just assh*le hackers instead of truly "malevolent" ones, but that's about it.



    They aren't doing anyone any favours. They could have easily released the jailbreak without releasing the scary, slick PDF vulnerability and used a more traditional wired method. Like almost all hackers everywhere, they just wanted to show off. With hacking it's all about ego and "cred," and pretty much always has been.



    As a result, some teenager somewhere is feeling pretty sh*t-hot right now, and for the rest of us, there is a security hole in the wild.



    Great.
  • Reply 18 of 90
    If you jailbroke, download "PDF Loader Warner" from Cydia.
  • Reply 19 of 90
    hittrj01 (Posts: 753, member)
    Quote:
    Originally Posted by Xian Zhu Xuande


    It's a jailbreak endorsed by the iPhone Dev Team.

    We've been here before...



    If you want to jailbreak, here you have it.

    Just remember to change your root password afterward.



    From my understanding, though, this isn't just about the official jailbreak. This exploit seemingly allows anything and anybody root access to a non-jailbroken iDevice, where bad things can and will happen. I agree that there will always be exploits, but downloading an installer and physically installing it yourself through a mac or pc is a lot different than going to a web site and "sliding to jailbreak". This is not a good thing, even if the end result in this instance is positive (a debate for another day).
  • Reply 20 of 90
    This font rendering security hole was patched in Mac OS X a couple of months ago -- the fix did not make it to iOS 4, and hence comex was able to use this hole there!! So easy, he would have figured -- go to Apple's security patches list, see which fixes haven't made it to the iPhone, and attack!!



    http://support.apple.com/kb/HT4131